A Texas-based research firm has found a critical flaw in TAILS, an anonymity-focused operating system touted by the likes of Edward Snowden, that puts users in danger of being de-anonymized and revealed to the world.
The vulnerability, found by Exodus Intelligence, rests with I2P, an anonymizing network that has been rising in popularity alongside the Tor Project, a far more prominent tool for using the Internet anonymously.
Although the full technical details have yet to be released to the public—the I2P team has them and is working on a fix—we know that the vulnerability de-anonymizes TAILS users who are connected to the I2P network through remote code execution.
MT "@ampernand the i2p 0 day requires you to have js enabled for it to work." Default setting on Tails allows JS. Oops. ;)— Aaron Portnoy (@aaronportnoy) July 24, 2014
I was expecting something 1337 but was disappointed. the i2p 0 day requires you to have js enabled for it to work.— Jeff (@ampernand) July 23, 2014
“We publicized the fact that we’ve discovered these issues for a very simple reason,” Exodus wrote in a blog post, “no user should put full trust into any particular security solution."
"By bringing to light the fact that we have found verifiable flaws in such a widely trusted piece of code, we hope to remind the Tails userbase that no software is infallible. Even when the issues we’ve found are fixed by the Tails team, the community should keep in mind that there are most certainly other flaws still present and likely known to others.”
I2P, which can be downloaded and used as a standalone program, has been bundled with the TAILS operating system for a little over a year.
Exodus Intelligence, which makes its money by selling critical software vulnerabilities to entities like the United States government, sparked a major debate in the information security community when it announced the existence of flaws in TAILS and then I2P but did not immediately disclose the details to either project’s developers.
Exodus has since brought the teams from TAILS and I2P—both non-profit, volunteer outfits with limited resources and manpower—into the loop.
TAILS and I2P are both open-source projects but, due to their size, cannot often afford full audits from experts.
“We at Exodus are able to do what many software projects cannot,” the company's blog continued, “perform security code audits and find exploitable vulnerabilities releasing them to the public.”
In response to critics, Exodus’s blog explained that the loud airing of the issue was deliberate. “Users should question the tools they use, they should go even further to understand the underlying mechanisms that interlock to grant them security," the company wrote. "It’s not enough to have faith upon security, rather to have an understanding of it.”
More detailed information about the vulnerability will be available to the public soon, representatives from both Exodus and I2P have promised.
Photo via tompagenet/Flickr (CC BY-SA 2.0)